From 561d1d6802dd50ddc9f441442cc2c351dd2759d6 Mon Sep 17 00:00:00 2001
From: Darrell Anderson
Date: Wed, 22 Aug 2012 13:05:27 -0500
Subject: Fix a potential resize bug and apply xpdf 3.02pl4 and 3.02pl5 security patches. This partially resolves bug report 1175.
---
 kpdf/xpdf/fofi/FoFiType1.cc | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
(limited to 'kpdf/xpdf/fofi')
diff --git a/kpdf/xpdf/fofi/FoFiType1.cc b/kpdf/xpdf/fofi/FoFiType1.cc
index efad5ee4..88b35ecc 100644
--- a/kpdf/xpdf/fofi/FoFiType1.cc
+++ b/kpdf/xpdf/fofi/FoFiType1.cc
@@ -224,7 +224,7 @@ void FoFiType1::parse() {
 code = code * 8 + (*p2 - '0');
 }
 }
- if (code < 256) {
+ if (code >= 0 && code < 256) {
 for (p = p2; *p == ' ' || *p == '\t'; ++p) ;
 if (*p == '/') {
 ++p;
@@ -235,9 +235,14 @@ void FoFiType1::parse() {
 }
 }
 } else {
- if (strtok(buf, " \t") &&
- (p = strtok(NULL, " \t\n\r")) && !strcmp(p, "def")) {
- break;
+ p = strtok(buf, " \t\n\r");
+ if (p)
+ {
+ if (!strcmp(p, "def")) break;
+ if (!strcmp(p, "readonly")) break;
+ // the spec does not says this but i'm mantaining old xpdf behaviour that accepts "foo def" as end of the encoding array
+ p = strtok(buf, " \t\n\r");
+ if (p && !strcmp(p, "def")) break;
 }
 }
 }
-- cgit v1.2.1
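Review bot: The added `code >= 0` test in the first hunk runs only after `code = code * 8 + (*p2 - '0')` has consumed every digit, so it relies on an over-long number wrapping to a negative value. If `code` is a plain `int` (its declaration is outside the hunk) that wrap is undefined behaviour, and a long enough digit run could also wrap back into 0..255 and pass the check with an index the font never intended. Bounding the value while it is accumulated, for example `if (code > 255) break;` inside the digit loop, would reject oversized codes without depending on overflow. The digit loop begins above the hunk, so the exact placement needs to be checked against the full function.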
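Review bot: In the second hunk the second `strtok(buf, " \t\n\r")` restarts tokenising at `buf` instead of continuing, so it returns the same first token that was just compared and the `"foo def"` check below it can never match. To fetch the next token the call should be `p = strtok(NULL, " \t\n\r");`. As written, a line whose second token is `def` no longer ends the encoding array as it did in the removed code, so parsing continues until some other exit outside this hunk is reached. The comment above the call could be corrected at the same time to `// the spec does not say this, but we keep the old xpdf behaviour of accepting "foo def" as the end of the encoding array`.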